#1616 Allow removal of legacy CA trust in Fedora 25
Closed None Opened 7 years ago by kengert.

= phenomenon =
Fedora unnecessarily trusts, by default, root CA certificates that have already been removed by Mozilla.

The additional trust was introduced 2 years ago for compatibility reasons, because of limitations in OpenSSL/GnuTLS/glib-networking. All known limitations have already been removed in the software shipped in stable Fedora.

We should remove the unnecessary additional trust, and go back to alignment with the official Mozilla trust list.

= background analysis =
For more details, see the email I've sent to the Fedora devel list on Monday, subject:
"Suggestion to end support for legacy 1024-bit RSA root CAs in Fedora stable"

= implementation recommendation =
Update the ca-certificates.spec package to remove the downstream patch. No code change, only changes to the static list and the spec file.
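The check a packager would want before and after dropping the downstream patch is a list of which anchors in the installed bundle still carry short RSA keys. The script below is an added example, not part of the ticket or of the ca-certificates package: a dependency-free DER walker that pulls the RSA modulus size out of every certificate in a plain PEM bundle and reports those under a threshold. The sample bundle it runs on by default is constructed in the script (two synthetic, unsigned, certificate-shaped blobs with 1024-bit and 2048-bit keys); it does no signature checking, and key size alone is not the trust decision Mozilla makes, so treat the output as an inventory, not a verdict.

```python
"""Audit a PEM CA bundle for RSA certificates whose modulus is shorter than a threshold.

Added example, not code from the Fedora ticket or the ca-certificates package.
Signatures are not verified; the only goal is to list which anchors still carry
short (for example 1024-bit) RSA keys.
"""
import base64
import hashlib
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption (placeholder sigalg)
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def der_tlv(data, pos=0):
    """Decode one DER TLV at `pos`; return (tag, value_bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(cert_der):
    """Return the RSA modulus size in bits, or None if the certificate's key is not RSA."""
    _, cert, _ = der_tlv(cert_der)                   # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = der_children(fields[5][1])
    if der_children(spki[0][1])[0][1] != RSA_OID:
        return None
    rsa_public_key = der_tlv(spki[1][1][1:])[1]      # BIT STRING: skip unused-bits octet
    modulus = der_children(rsa_public_key)[0][1]     # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(modulus, "big").bit_length()


def audit_bundle(pem_text, min_bits=2048):
    """Return [(sha256 fingerprint, modulus bits)] for every RSA cert below min_bits."""
    weak = []
    for match in PEM_RE.finditer(pem_text.encode()):
        der = base64.b64decode(match.group(1))
        bits = rsa_modulus_bits(der)
        if bits is not None and bits < min_bits:
            weak.append((hashlib.sha256(der).hexdigest(), bits))
    return weak


# --- constructed sample input (synthetic, unsigned; only the key size is meaningful) ---
def _der(tag, value):
    """Minimal DER encoder: tag octet, definite length, value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)   # keep INTEGER positive


def make_test_cert(modulus_bits):
    """Certificate-shaped DER with an RSA key of exactly modulus_bits; signature is filler."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa_key))
    sig_alg = _der(0x30, _der(0x06, SHA256_RSA_OID) + _der(0x05, b""))
    name = _der(0x30, b"")                                     # empty Name, fine for a sample
    validity = _der(0x30, _der(0x17, b"160101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 17))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = to_pem(make_test_cert(1024)) + to_pem(make_test_cert(2048))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for fingerprint, bits in audit_bundle(text):
        print(f"{bits:5d}-bit RSA  sha256:{fingerprint}")
```

Run it with no arguments to see the 1024-bit synthetic entry flagged and the 2048-bit one pass; pass a path to a plain PEM bundle (one with `BEGIN CERTIFICATE` blocks, not the `TRUSTED CERTIFICATE` variant) to inventory a real trust store. The hand-written TLV walker is deliberate: it keeps the check free of OpenSSL or GnuTLS, which is useful when the question is precisely whether those libraries' trust handling has changed.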


Updating the subject to clarify: do it either for alpha, or later.

+1 from me, either way.

I'm +1 to the plan on list (basically submit the update now so it's in updates-testing for alpha users, but don't do any freeze break for it).

We don't need to discuss this at today's meeting. We resolved it last week and everyone is happy with the plan of action.
